A DevSecOps Tale of Business, Engineering, and People
4 likes5,065 views
The document discusses the evolution of DevSecOps, emphasizing an integrated approach to security within the DevOps framework, driven by the complexities of modern software delivery and cloud environments. It highlights the importance of experimentation, empathy, and continuous measurement, while drawing parallels to historical events, such as the 1896 train crash, to illustrate the necessity of proactive measures in preventing failures. Overall, it advocates for a cultural shift in organizations to enhance collaboration between security and development teams.
![“[Securitybyrisk
assessment]
introducesa
dangerous fallacy:
thatstructured
inadequacyis almost
as good asadequacy
and that underfunded
securityefforts plus
risk managementare
aboutas goodas
properlyfunded
securitywork”](https://image.slidesharecdn.com/crush-texas-presoi-v3-190913161501/85/A-DevSecOps-Tale-of-Business-Engineering-and-People-70-320.jpg)
![“[Deploys] can be
treatedas
standard or
routine changes
thathave been
pre-approved by
management,and
thatdon’trequire
a heavyweight
change review
meeting.”](https://image.slidesharecdn.com/crush-texas-presoi-v3-190913161501/85/A-DevSecOps-Tale-of-Business-Engineering-and-People-119-320.jpg)
![“[Chaos Engineering is]
empiricalratherthan formal.
We don’tuse modelsto
understandwhatthe system
should do.We run experiments
to learnwhat itdoes.”
Michael Nygard, Release It 2nd Ed.
@wickett](https://image.slidesharecdn.com/crush-texas-presoi-v3-190913161501/85/A-DevSecOps-Tale-of-Business-Engineering-and-People-168-320.jpg)
![“The security discipline of
[chaos] experimentation is
done in orderto build
confidence inthe system’s
abilityto defend against
malicious conditions.”
Aaron Rinehart
@wickett](https://image.slidesharecdn.com/crush-texas-presoi-v3-190913161501/85/A-DevSecOps-Tale-of-Business-Engineering-and-People-169-320.jpg)
A DevSecOps Tale of Business, Engineering, and People
- 2. JamesWickett Sr. Sec Eng & Dev Advocate @ Verica Author, LinkedIn Learning Organizer, DevOps Days Austin, Serverless Days ATX DevSecOps Days Austin Author, DevSecOps Handbook (In progress) @wickett
- 3. @wickett
- 4. Get the slides now wickett@verica.io @wickett
- 5. verica.io An enterprise platform for Continuous Verification, using Chaos Engineering principles, to take a proactive and measured approach to preventing availability and security incidents. @wickett
- 12. 1896 introducedthe ideaofrunningtrain crashes for Funand Profit @wickett
- 16. @wickett
- 18. 200 LawOfficersandaJail Dozenwaterwells Watertankers Concessions from Dallas Preachersand Politicians Midwaywith Games @wickett
- 20. @wickett
- 22. @wickett
- 23. Engineers evaluated boilers Laid 4 miles oftrack Crowdat200yards Pressat100yards @wickett
- 24. Word gotout, Thomas Edison wantedto film it @wickett
- 25. @wickett
- 27. “The rumble ofthetwo trains, faintand far offat firstbut growing nearer and more distinctwith each fleeting second,was likethe gathering force ofa cyclone” @wickett
- 28. @wickett
- 29. Thetrains collided atcombined speed between 90and 120 mph @wickett
- 30. @wickett
- 32. @wickett
- 33. @wickett
- 35. @wickett
- 36. Aftermath: » 4 people died » Crush fired » Widespread injuries during incident » More injuries after incident » Town shut down » Lawyers brought in for settlements @wickett
- 37. @wickett
- 38. @wickett
- 39. Fallout @wickett
- 40. Days later Crush rehired Retired from the MKT 44 years later @wickett
- 42. But, Inthe hundreds ofevents post- Crush,the boilers held @wickett
- 43. What I learned: Chronocentrism exists Engineering is hard Blame is easy @wickett
- 48. credit to Josh Zimmerman, the original DevOps Jack Handy
- 50. First, Understand DevOps and howwe got here @wickett
- 54. @wickett
- 56. “DevOps is the inevitable resultofneedingto do efficient operations in a distributed computing and cloud environment.” Tom Limoncelli @wickett
- 57. “DevOps is nota technological problem. DevOps isa business problem.” Damon Edwards @wickett
- 58. DevOps isan epistemological breakthroughjoining disparate peoplearounda common problem @wickett
- 59. DevOpswas needed to fixthe inequitable distribution of labor @wickett
- 63. Iasked myselfthis same question @wickett
- 64. @wickett
- 65. Securityfinds itselfinthe same positionthat operations did inthe movementofDevOps @wickett
- 68. Security, like ops strugglesto provide value in most organizations @wickett
- 69. “Companiesare spendingagreatdeal on security, butwe read ofmassive computer-related attacks. Clearly something iswrong. The rootofthe problem istwofold:we’re protectingthewrong things,andwe’re hurting productivity inthe process.”
- 70. “[Securitybyrisk assessment] introducesa dangerous fallacy: thatstructured inadequacyis almost as good asadequacy and that underfunded securityefforts plus risk managementare aboutas goodas properlyfunded securitywork”
- 71. “While engineeringteams are busy deploying leading-edgetechnologies, securityteamsare still focused on fighting yesterday’s battles.” SANS 2018 DevSecOps Survey @wickett
- 72. "manysecurity teamsworkwitha worldviewwhere their goalisto inhibit change as muchas possible"
- 73. Newtechnology(cloud, k8s, serverless, ...)and increased organization focus on software deliveryiswhywe need DevSecOps. @wickett
- 74. A Highly Desireable New Breed: The DevSecOp @wickett
- 76. An inclusive person participating inthe movementof securityinto devops. @wickett
- 78. Maker Driven Experimenting Automating SafetyAware Unrestrained Sharing Ruggedizing Empathy @wickett
- 79. MEASURE @wickett
- 81. Weare software engineers who specialize inaspecific discipline: security @wickett
- 83. Whyisthis considered ahottake in our industry? @wickett
- 88. @wickett
- 89. The Entire Security Team Must Participate in Software Delivery @wickett
- 90. Empathybuilding Familiaritywithtools Ableto move upthe pipeline @wickett
- 92. DefectDensity studies range from .5to 10 defects per KLOC @wickett
- 94. With framework/ deps, 500 LOCyou write can easilybe 400,000 LOC
- 95. Hot take: You cannottrain developers towrite secure code @wickett
- 96. Instead, focus on Methods Developers use » TDD/BDD/ATDD » Meaningful comments/commits » Code Smells, Patterns, Refactoring » Instrumentation, Observability @wickett
- 97. “The goalshould beto come upwithasetof automatedtests that probeand check security configurations and runtime system behavior for securityfeatures thatwillexecute everytimethe system is builtand every time itis deployed.”
- 101. Maker Driven means » See security as part of engineering » View quality as a way to bring security in » Use code, not vendors to solve problems @wickett
- 102. MEASURE @wickett
- 104. Benefitsto Experimentation » Measured, Repeatable » Results based on your needs » Actionable Outcomes @wickett
- 105. “Securityincidents are not effective measures ofdetection becauseatthatpoint it'salreadytoo late” Aaron Rinehart @wickett
- 107. KnowMostLikelyAttacks and Howto MeasureAbuse and Misuse @wickett
- 108. “We can'tcede home fieldadvantage” Zane Lackey @wickett
- 110. Resources » Shannon Lietz (@devsecops) » DOES 2018 Talk: youtu.be/yuOuVC8xljw @wickett
- 111. MEASURE @wickett
- 112. Automation @wickett
- 115. “Continuous Deliveryis how littleyou can deployatonetime” Jez Humble & David Farley @wickett
- 116. Optimizetotalcycle time from code committo running in prod @wickett
- 117. 15,000deploys in 3.5 years @wickett
- 118. Securityinthe Pipeline » Software composition analysis » Lang linters, git-hound, ... » Scanners, gauntlt » Monitoring and telemetry @wickett
- 119. “[Deploys] can be treatedas standard or routine changes thathave been pre-approved by management,and thatdon’trequire a heavyweight change review meeting.”
- 120. Resources: @wickett
- 123. MEASURE @wickett
- 124. SafetyAware @wickett
- 126. Simple Systems: Linear in nature Easyto Predict Ableto comprehend @wickett
- 127. Complex Systems: Non-linear (bullwhipeffect) Unpredictable in nature No mentalmodelavailable @wickett
- 128. Weabstractcomplexity » Human beings » Societial issues » Psychological issues » Cognitive load @wickett
- 129. Software deals with complexitythrough abstraction @wickett
- 130. RootCause (inacomplex system) isaMyth » Lacks full picture » Complex systems are not linear » Result of blame culture » Forgets organizational decisions » Puts the focus on the event over situation @wickett
- 131. “Drifting into failure is a gradual, incremental decline into disaster driven by environmental pressure, unruly technologyand social proccessesthat normalize growing risk. No organization is exempt from drifting into failure” @wickett
- 132. Boeing 737Max » Maneuvering Characteristics Augmentation System (MCAS) » MCAS commands the trim without notifying the pilots » This is software @wickett
- 134. High-speed decision making inan up- tempo environment @wickett
- 135. Software is eating theworld @wickett
- 136. “The growth of complexityin societyhas got ahead ofour understaindin g of how complex systemswork and fail”
- 137. @wickett
- 138. @wickett
- 140. “Failures are a systems problem because there is not enough safety margin. ” @adrianco @wickett
- 142. Where SecurityFits » Add safety margin » Telemetry and instrumentation » Blameless retros » ...more to explore in this area @wickett
- 143. Resources » Drift into Failure by Dekker » Understanding Human Error Video Series youtu.be/ Fw3SwEXc3PU » @jpaulreed coverage of Boeing medium.com/ @jpaulreed » Richard Cook paper bit.ly/2ydDQS2 @wickett
- 144. MEASURE @wickett
- 146. “Culture isthe most importantaspectto devops succeeding inthe enterprise” Patrick DeBois @wickett
- 147. DevSecOps isthe extension ofthe DevOps culture for the inclusion of Security @wickett
- 148. “Asecurityteamwho embraces openness aboutwhatitdoes and why, spreads understanding.” Rich Smith @wickett
- 153. Four Keysto Culture » Mutual Understanding » Shared Language » Shared Views » Collaborative Tooling @wickett
- 155. SecuritySharesThrough » Making invisible as visible » Security Observability » APIs, webhooks, dev tooling @wickett
- 158. Resources » Phoenix Project » Agile Application Security » dearauditor.org @wickett
- 159. MEASURE @wickett
- 161. @wickett
- 163. Favor ShortLived Systems Cattle notPets @wickett
- 165. Ruggedization in 2020 1. Deception 2. Chaos Engineering @wickett
- 166. Deception » Honeypots, Tarpits, Mantraps » Simple to get started (http headers) » HoneyPy, DeceptionLogic @wickett
- 167. “We’re moving from disaster recovery to chaos engineering to resiliency” @adrianco @wickett
- 168. “[Chaos Engineering is] empiricalratherthan formal. We don’tuse modelsto understandwhatthe system should do.We run experiments to learnwhat itdoes.” Michael Nygard, Release It 2nd Ed. @wickett
- 169. “The security discipline of [chaos] experimentation is done in orderto build confidence inthe system’s abilityto defend against malicious conditions.” Aaron Rinehart @wickett
- 170. Chaos Engineering » Experiments that span eng and security » Manual opt-out » Valuable Learning » Controlled experiment blast radius @wickett
- 171. Resources » Aaron Rinehart's talk at RSA youtu.be/wLlME4Ve1go » principlesofchaos.org » Release It! 2nd ed., Nygard » Phillip Maddux's talk: youtu.be/k81xKjCEeqE » Herb Todd's talk: youtu.be/Cf_XXmRLnRQ @wickett
- 172. MEASURE @wickett
- 173. Empathy @wickett